Splunk Search

Cannot put a date string into outputcsv filename argument

jpanderson
Path Finder

I want to run a report each hour; this report returns a single row. I want to create a separate csv file for each day, which will have 24 rows. The index is tracking IIS logs, and basically the query below is calculating the percentage of total downloads taken up by a specific type of swf file (filtered by "a_action").

Originally I was trying to use the "TIME" variable in the subsearch, but I realised the subsearch was being run first so the TIME variable didn't exist, so I changed it to another relative time. I am using relative times as the query is run at the end of the hour, and analyses the data for the hour before, so I want the time value for the query to be the hour before it is run. Even if I just use a "now()" call, the query still fails.

Some field values have been anonymised, where this is the case I've used the asterisk sign and capital letters.

index=iis a_app=*APP*
| eventstats sum(sc_bytes) as TOTAL_BYTES
| where like(a_action, "*APP*.swf")
| eventstats sum(sc_bytes) as SWF_BYTES
| eval PERCENTAGE = SWF_BYTES/TOTAL_BYTES*100
| eval TIME=relative_time(now(),"-60m")
| stats values(TIME) as DATE_TIME, values(TOTAL_BYTES) as TOTAL_BYTES, values(SWF_BYTES) as SWF_BYTES, values(PERCENTAGE) as PERCENTAGE
| outputcsv append=true
    [ | stats count
      | eval FILENAME=strftime(relative_time(now(),"-60m"),"swf_download_%d_%m_%Y")
      | fields FILENAME ]

So basically everything before the outputcsv command works. The subsearch in the outputcsv command should return a string such as "swf_download_14_01_2016"; however, the search fails, and I get the following errors:

Error in 'outputcsv' command: Invalid argument: '('
The search job has failed due to an error. You may be able view the job in the Job Inspector.

When I run the subsearch on its own it does return the correct string "swf_download_14_01_2016", so I am confused as to why this string is not returning and being used as the csv filename.

Thanks.

1 Solution

kurdbahr
Path Finder

The result of your subsearch is formatted as ( ( FILENAME="swf_download_14_01_2016" ) ).

Try return $FILENAME instead of fields FILENAME.
See also:
https://answers.splunk.com/answers/85395/earliest-or-latest-time-in-outputcsv-filename.html#answer-9...

Or add | format "" "" "" "" "" "" after fields FILENAME.

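The original search with the accepted fix applied, as an added example (not posted by either participant; field names and the anonymised *APP* values are the original poster's). The only change is the last line of the subsearch: `return $FILENAME` substitutes the value alone, so outputcsv no longer receives the `( ( FILENAME="..." ) )` wrapper that `fields FILENAME` produces and that caused the "Invalid argument: '('" error:

```spl
index=iis a_app=*APP*
| eventstats sum(sc_bytes) as TOTAL_BYTES
| where like(a_action, "*APP*.swf")
| eventstats sum(sc_bytes) as SWF_BYTES
| eval PERCENTAGE = SWF_BYTES/TOTAL_BYTES*100
| eval TIME=relative_time(now(),"-60m")
| stats values(TIME) as DATE_TIME, values(TOTAL_BYTES) as TOTAL_BYTES, values(SWF_BYTES) as SWF_BYTES, values(PERCENTAGE) as PERCENTAGE
| outputcsv append=true
    [ | stats count
      | eval FILENAME=strftime(relative_time(now(),"-60m"),"swf_download_%d_%m_%Y")
      | return $FILENAME ]
```

To check what a subsearch will hand to the outer command before wiring it in, run the bracketed part on its own and look at the search field it returns; with `fields FILENAME` it shows the parenthesised field="value" form, with `return $FILENAME` just the value. Because the date is computed from `now()` at run time rather than taken from event data, the name is fixed per run; outputcsv writes the file under $SPLUNK_HOME/var/run/splunk/csv/ and takes a bare filename, not a path, so a computed name cannot be used to write outside that directory.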


jpanderson
Path Finder

Return worked. I saw that answer earlier and forgot about the return variation as well!

Thanks a lot!
